[Mipshop] RE: Review of draft-vidya-mipshop-handover-keys-aaa-00.txt


So, the real question here is - should we do a handover key request/response exchange between the MN and AR embedded in the PANA protocol (and then embedded in some EAP method between the AR and AAA server), or should we have that as a separate protocol? 

If I understand correctly, you are proposing that it should be an extension to PANA and an EAP method that allows it - right? 

So, let's say we choose to do this using PANA. Let's consider this scenario: 

The MN associates with an AP, does 802.11i and gains network access. The AP itself is not doing PANA, so, this is just link layer access. Now, the MN needs to talk PANA with the AR to get a handover key. Does an entire EAP method exchange have to happen again for this key to be derived? Or, am I missing something big here? 

When PANA itself is used as the EAP encapsulation for network access, I can see how tying it to PANA will work fine. When network access is via EAP encapsulated in a lower layer protocol (where the entity terminating the lower layer protocol is different from the AR), will this not result in two separate EAP method exchanges? 

I have not read PANA in detail yet - so, maybe I am missing the picture. I will spend some time reading it in more detail. Meanwhile, please pardon my stupid questions. 

Regards,
Vidya


> -----Original Message-----
> From: James Kempf [mailto:Kempf at docomolabs-usa.com] 
> Sent: Wednesday, July 20, 2005 11:31 AM
> To: Julien Bournelle
> Cc: Narayanan Vidya-CVN065; mipshop at ietf.org; 
> mobopts at irtf.org; Gerardo Giaretta; Julien Bournelle; 
> 'Tschofenig, Hannes'; Venkitaraman Narayanan-CNV002
> Subject: Re: Review of draft-vidya-mipshop-handover-keys-aaa-00.txt
> 
> 
> > We could certainly define a way to provide a key both for MN and AR
> > during the network authentication phase. EAP provides a way to create
> > a key for applications (AMSK) (Appendix A of our draft). Thus we need to
> > define a key specific for FMIPv6 and a way for the EAP authenticator
> > to push the keying material to the appropriate AR (not defined in the
> > current draft).
> >
> > The problem that I can see is after IP handover, how does the MN get a
> > new key? If we continue to rely on EAP, it will imply a
> > reauthentication from scratch.
> >
> 
> One of two ways:
> 
> 1) The MN has actually reauthenticated for network access 
> from scratch in order to establish its session key with the 
> new AR/AP, and in the process obtained a handover key. In 
> 802.1x, that is, in fact, currently the only way I believe, 
> though the 802.11r WG is looking to change this.
> 
> 2) The MN has performed preauthentication with a collection 
> of AR/APs around the current one, and so has a key already available.
> 
>             jak
> 
> 

_______________________________________________
Mipshop mailing list
Mipshop at ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop